Author Archives: Royal Hansen

Why Google supports the US Securing Open Source Software Act

Open source software — code that is made freely available to the public to use or modify — is the foundation of the modern internet. It’s given us a world that is more innovative and more accessible. Yet the very openness that makes the digital world accessible to everyone also leaves it uniquely vulnerable to security threats and cyber attacks.

At Google, we’ve been working to solve this paradox for years — and have arrived at the conclusion that modern digital security actually can come through embracing openness. We protect more people online than anyone, and we recently announced a $10 billion investment in making the internet safer and more secure. But with the dramatic rise of state-sponsored cyber attacks and malicious actors online, it’s clear that we not only need stronger public-private partnerships — but dynamic policy frameworks to shore up security for everyone.

That’s why we welcome efforts by the U.S. Government to advance open source software security, such as the Securing Open Source Software Act introduced in the Senate last month. This bipartisan bill proposes the creation of a framework to guide the federal government in their use of open source software. The proposed legislation reflects a helpful focus on security and cyber risk mitigation to respond to a recent spike in malicious cyber activity against the software supply chain.

We are glad to see a continued emphasis on the importance of open source software security from the U.S. Government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large.

The problem of securing open source

The world of open source software development allows collaboration and rapid innovation by sharing solutions freely. This community, built on openness and sharing, contributes an enormous amount of code to a majority of the applications we use today.

However, despite the benefits of this openness, the unprecedented scale of recent attacks has emphasized gaps in infrastructure and tooling and the need for improved transparency into the security practices and attributes of open source projects. Seemingly simple questions about the open source supply chain are still difficult to answer:

  • Does a project contain known vulnerabilities?
  • Are the project’s maintainers and community following security best practices during software development?
  • What open source dependencies are part of a particular piece of software?
  • How secure was the distribution supply chain?

Answering these questions requires specialized technical skills and capabilities, and given the primarily volunteer-driven nature of the open source community, we cannot expect open source developers to shoulder the full burden of advancing software security on their own.

Continued advances

Through our work with multiple industry collaborators, Google has helped create free tools, services and best practices to make it easier for the open source community to develop and distribute software securely, while providing consumers with information about the security of the software they use.

We envision a more secure future where the burden of security is shared, and there is increased trust in and resilience of the open source software ecosystem. To get there, we need freely available, automated solutions that make developers’ lives easier, such as:

  • Infrastructure that prevents tampering, by default, when software is being built and released
  • Advances in vulnerability discovery and management that automate finding, tracking and fixing bugs for developers
  • Seamless connections across sources of security data and tools for analysis so consumers can have meaningful insight into the security of their software

We’re currently working to make these solutions a reality, at scale, with little to no additional work for developers.

Sustaining the community

We hope that the framework that will emerge due to U.S. Government efforts drives further investments in open source communities by both the public and private sectors. We’re already seeing the impact of the $100M Google pledged to non-profit organizations and software foundations like the Open Source Security Foundation to support open source creators.

This pledge backs efforts like our “open source maintenance crew,” a team of developers who spend 100 percent of their time directly enabling critical open source projects to adopt key security improvements. It also supports our Linux Kernel team, which continues to drive efforts to eliminate entire classes of bugs from open source code, including paving the way for greater memory safety using the Rust language.

We encourage other major consumers of open source to follow this lead and directly invest both funds and developer time in securing open source projects and ecosystems. Furthermore, we call on other major consumers of open source, both public and private, to implement similar policies around safe open source usage as well.

Securing open source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem.

How Congress’ anti-tech bill undermines security

We’re concerned that Congress is considering legislation that would compromise Google's ability to keep users secure by default, as well as break popular features in products like Search and Maps. We’ve previously outlined how this proposal could make our services less helpful and less secure, while not addressing the issues Americans care about most — like privacy, child safety and inflation. As experts gather for the RSA Conference this week, I wanted to share my perspective as a security professional on the real risks that this legislation poses for US security.

Our security teams work around the clock, around the world, to identify and stay ahead of threats to our users and platforms. On a typical day, Google blocks more than 100 million phishing attempts across our platforms and tracks over 270 government-backed threat actors from more than 50 countries. This work requires us to make judgment calls quickly, based on indicators and alerts from a huge variety of sources. We don’t always find fire where there’s smoke. But we do prevent millions of attacks from succeeding — and responding to the smoke without hesitation is critical to protecting millions of internet users.

A bill introduced in the Senate (S. 2992) could hurt our ability to make quick decisions to keep our products secure, requiring us to ask: would thwarting a potential bad actor violate the law and open us up to legal liability? Even pausing to ask the question would leave millions of users vulnerable for precious minutes while a potential security threat persists. And when it comes to cybersecurity, every second counts.

Here are just a few ways the legislation would undermine our ability to keep people safe:

Harming a security-by-default approach

First, because the bill bans basic product integration, we might not be able to secure our products by default. This is problematic because modern threat actors don’t just seek to exploit one user, service or system in isolation. They look for weak links, and their behavior is harder to detect when their activities are spread across multiple providers. That’s why we build systems with integrated security defenses. For example, to counter a phishing attack, we rely on built-in spam filtering, malware scanning, link analysis, two-step verification for accounts, password alerts … the list goes on. Under the legislation, these seamless integrations could be prohibited simply because competitors offer their own versions of spam filtering, malware scanning and other security services. The bill could even require us to open our systems to untrusted and potentially vulnerable rival services.

Opening our products to bad actors

Second, the bill would require us to allow outside parties to “access or interoperate” with our “platform, operating system, hardware and software features.” This broad mandate to open our systems may have been written with domestic rivals in mind – but it would inevitably be exploited by foreign companies looking to understand US technical infrastructure, and access data from American businesses and citizens. As national security leaders have warned: “Unfettered access to software and hardware could result in major cyber threats, misinformation, access to data of U.S. persons, and intellectual property theft.”

Rolling back efforts to fight disinformation

Third, by prohibiting us from “discriminating” against competitors, the bill would prevent us from taking action against purveyors of malicious content. Since Russia invaded Ukraine, we have been able to move quickly to limit Russian propaganda and disinformation, even as that content has migrated to new channels. The proposed legislation could undermine this work.

Failing to address valid security concerns

Finally, this bill would create a legal environment that encourages companies to err on the side of not protecting users – and recent changes to the bill exacerbate these underlying security concerns. For example, the revised bill says that we don’t have to interoperate with or provide access to data to entities who pose “clear” and “significant” security risks. But this assumes that we know in real time which risks are significant, and could prohibit us from blocking moderate or emerging security risks that don’t obviously meet the bar of a “significant” threat. Another recent change says that we don’t have to open our platforms up to businesses backed by the Chinese government. But this ignores the fact that modern threat actors use compromised third-parties or shell companies to conduct operations, where attribution can be slow and difficult.

We understand there’s an appetite for global regulation, and we support balanced, thoughtful legislation to solve important issues such as consumer privacy and child safety online. But this legislation would fundamentally harm our ability to stay ahead of threats and keep the billions of people who use our products secure. We strongly urge Congress to consider these unintended consequences before moving forward.

Building a secure world

The following is adapted from remarks delivered by Royal Hansen, Vice President of Engineering for Privacy, Safety and Security, during his keynote “United in Cyberpower: The Role of Companies in Building a Cybersecure World” at Cybersec Europe 2022 in Katowice, Poland.

I believe cybersecurity is one of the top issues facing the world today and I’d like to share a bit about why it’s so important for companies, countries, and communities of all sizes to work together.

This is particularly true right here in Central and Eastern Europe where the Russian invasion of Ukraine has brought these issues into sharp focus. I’m honored to be here today and to get to meet with so many of you who are working on this day in and day out.

As governments in this region and elsewhere in the world tackle this issue we want to ensure we are doing everything we can to support those efforts. Google’s mission has always been about organizing the world's information and making it universally accessible and useful. The work we’re doing to ensure people can get access to quality information–and do so safely–has never been more important than it is today.

Securing users in Ukraine and the broader region

As the Russian invasion of Ukraine unfolded, Google mobilized to help the people of Ukraine and protect the security of our users and services – an area where we are uniquely positioned to help in this conflict.

We have our own specialized teams dedicated to identifying, tracking, and countering threats from government-backed actors.

Russia-backed hacking and influence operations are not new to us; we’ve been tracking and taking action against them for years. To put this into perspective, we’ve seen and worked to disrupt Russian operations targeting the U.S. elections in 2016 and 2017 and campaigns targeting the 2018 Olympic games. In October, we blocked a Russian campaign targeting 14,000 Google users.

And we’ve seen first hand the targeting of Ukraine by Russia. It has been ongoing for years with both espionage and occasional cyber attacks tracked by our teams. As the war intensified, we also saw Russian threat actors shift focus to targets elsewhere in Eastern Europe.

Our Threat Analysis Group (TAG) regularly publishes details on campaigns it detects, and disrupts these efforts to help governments and private sector companies better defend their systems.

We’ve seen threat actors beyond Russia shift their focus and targeting, including a growing number of threat actors using the war as a lure in phishing and malware campaigns. This includes government-backed actors from China, Iran, North Korea, Belarus and financially-motivated, criminal actors using current events as a means for targeting users.

For example, we’ve seen one cyber crime group impersonating military personnel to extort money for rescuing relatives in Ukraine.

In addition to disrupting threats, we are doing everything we can to increase protections for high risk users and organizations in Ukraine. We’ve redoubled our efforts to offer free tools to help – including protecting hundreds of high risk users on the ground with our Advanced Protection Program, and expanding eligibility of Project Shield to include the Ukraine government. Shield is currently protecting over 200 websites in Ukraine from distributed denial of service attacks.

It is in this spirit of action that we are expanding our partnerships and investment in the broader region on cybersecurity.

In fact, this week a delegation of our top security engineers and leaders are on the ground across Eastern Europe to provide hands-on training to high risk groups, deliver security keys and support local businesses as they look to improve their security posture.

To share what we know about the threat, we are engaging in technical exchanges with governments in the region.

We’re providing free tools and expertise to democratic institutions and civil society, such as the Protect Your Democracy Toolkit - which we launched today in partnership with our Jigsaw team.

We’re also investing in, and shaping, the next generation of cybersecurity professionals. For example, Google has committed to provide scholarships for 150,000 people in Europe, the Middle East and Africa through the new Google Career Certificate training.

We’re also helping governments and businesses stay ahead of the threat, including helping government agencies, companies and utilities who rely on outdated hardware and software to replace old systems with better foundations, and we are here to build up businesses’ and governments’ confidence to embrace digital transformation securely.

Google’s approach to security

We believe we are uniquely positioned to help users, organizations, and governments in this region because of our approach to security.

First, we focus on the basics. We bake in security from the beginning instead of bolting it on as an afterthought and we design helpful products that are secure by default for our users. In fact, we are the first consumer tech company to automatically turn on 2 step verification, our version of multifactor authentication, or MFA, for our users. We recommend businesses and governments focus on these fundamentals as well.

Second, we take an open and interoperable approach to security, and we invest to ensure this model of the Internet as a whole is protected. In today’s interconnected environment, our collective security is only as strong as the weakest link. Our business cannot thrive if people don’t feel safe online. That’s why we design solutions that eliminate entire classes of threats from being effective both on our platforms, and across the Internet as a whole.

Finally, and perhaps most importantly – we are looking at the future of cybersecurity and investing in advanced, state-of-the-art capabilities. We know that cyber threats evolve quickly – as soon as a new technology is introduced or adopted, there are threat actors and cyber criminals looking for ways to exploit it. That’s why it’s not enough to just stay a few steps ahead of the threat.

We need to invest in the future of technology, from cutting-edge artificial intelligence capabilities, to advanced cryptography, to quantum computing – our teams are already working on the future of cybersecurity. And we see it as part of our mission to ensure that we open source and share these findings so that organizations and governments can stay ahead of the latest cyber threats.

Security-proofing our tech policies

Our approach enables us to weather online security threats. But advanced capabilities are not enough if government policies inadvertently undermine our ability to protect users.

I support smart tech regulation, which can fuel the vitality of the Internet and ensure technology is meeting society's needs. Unfortunately, some technology regulation is not adequately considering the impact to safety and security efforts online.

For example, some policies seek to limit sharing of data between different services on platforms like ours, but overly broad bans on cross-platform data sharing also have significant implications for the threat intelligence work I mentioned earlier.

The ability to share intelligence on threat actors and their technical signatures helps identify and stop the work of threat actors and cybercriminals. It protects not just one company or two companies, but the Internet as a whole.

To realize the full benefits of technology to society, society must be able to trust that the technology they are using is safe and secure. By ensuring security has a seat at the table in these policy discussions, we can strike this balance and unlock technology’s full potential. Today’s conflict and challenges point to a need for better cooperation and giving technical experts a seat at the table in these policy discussions.

We applaud the Declaration for the Future of the Internet, which calls on governments and industry to protect a future for the Internet that is open, free, global, interoperable, reliable, and secure.

At our core, Google is an Internet company, and our fate is tied to the Internet remaining true to these principles. The internet itself is a multi-stakeholder system, and protecting users and citizens online requires cooperation among us, governments and businesses.

It’s never been more urgent, and our ability to make a difference is greater than anyone anticipated. We all must work together to protect this future, whether that means combating cyber threats, building safe technologies that unlock society’s full potential, or developing responsible technology policies.

We stand ready to partner with governments, businesses, and individual users to see this future secured.

New action to combat cyber crime

Today, we took action to disrupt Glupteba, a sophisticated botnet which targets Windows machines and protects itself using blockchain technology. Botnets are a real threat to Internet users, and require the efforts of industry and law enforcement to deter them. As part of our ongoing work to protect people who use Google services via Windows and other IoT devices, our Threat Analysis Group took steps to detect and track Glupteba’s malicious activity over time. Our research and understanding of this botnet’s operations puts us in a unique position to disrupt it and safeguard Internet users around the world.

We’re doing this in two ways. First, we are coordinating with industry partners to take technical action.

And second, we are using our resources to launch litigation — the first lawsuit against a blockchain enabled botnet — which we think will set a precedent, create legal and liability risks for the botnet operators, and help deter future activity.

About the Glupteba botnet

A botnet is a network of devices connected to the internet that have been infected with a type of malware that places them under the control of bad actors. They can then use the infected devices for malicious purposes, such as to steal your sensitive information or commit fraud through your home network.

After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day. Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.

Technical action

We coordinated with industry partners to take technical action. We have now disrupted key command and control infrastructure so those operating Glupteba should no longer have control of their botnet — for now.

However, due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users.

Legal Strategy & Disruption

Our litigation was filed against the operators of the botnet, who we believe are based in Russia. We filed the action in the Southern District of New York for computer fraud and abuse, trademark infringement, and other claims. We also filed a temporary restraining order to bolster our technical disruption effort. If successful, this action will create real legal liability for the operators.

Making the Internet Safer

Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making it that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it.

Our goal is to bring awareness to these issues to protect our users and the broader ecosystem, and to prevent future malicious activity.

We don’t just plug security holes, we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We have teams of analysts and security experts who are dedicated to identifying and stopping issues like DDoS, phishing campaigns, zero-day vulnerabilities, and hacking against Google, our products, and our users.

Taking proactive actions like this is critical to our security. We understand and recognize the threats the Internet faces, and we are doing our part to address them.

Our work to keep you safe online is never done

At Google, we keep more people safe online than anyone else with products that are secure by default, private by design and put you in control of your data. To celebrate Cybersecurity Awareness Month, we’ve introduced new features and technologies that keep your data private and secure.

Protecting your privacy with products that are secure by default

Protecting your privacy starts with the most advanced digital security. That’s why we make our products secure by default and help keep your data safe with customized recommendations in Security Checkup, an easy, personalized way to secure your Google Account. So whether you’re browsing the web, managing your inbox, or sharing your vacation photos, we’re keeping you safe with automatic protections built right into our products. Today we’re excited to share some new security products and features:

  • Introducing the New Security Hub on Pixel: The Security Hub brings all your security-related features and settings into one place on your Pixel device. In the hub, you'll see a clear red, yellow, or green indication of whether your system is secure based on inputs from Google Play Protect to your Google Account. If there's something wrong, the Hub will give you straightforward recommendations of what's wrong and what to do next. This feature is currently only available on Pixel devices, but we have plans to roll this out to our entire ecosystem in the future.
  • Google Fi Announces End-to-End Encrypted Calls: On top of built-in VPN and spam blocking features included in all phone plans, Google Fi is introducing end-to-end encrypted calls. One-to-one calls between Android phones on Fi will be secured with end-to-end encryption by default when they become available in the coming weeks, so your phone conversations stay between you and the person you're talking to.
  • Google One Announces VPN Expansion to New Countries: VPN by Google One keeps your network activity safer from hackers and online eavesdroppers. Already available on Android for Google One members on Premium plans (2 TB and higher) in Canada, France, Germany, Italy, Mexico, Spain, the United Kingdom, and the United States, starting today, we’ll begin rolling out the VPN in 10 more countries: Austria, Belgium, Denmark, Finland, Iceland, Ireland, the Netherlands, Norway, Sweden and Switzerland.
  • New Safe Browsing in Android Messages & Chat: Enables stronger protections against phishing and malware attacks, checks uncommon URLs in real-time to assess threats, and temporarily links data to your Google Account to offer tailored protection.
  • Chrome HTTPS-First Mode: HTTPS is a secure and private way for users to communicate with websites, reducing the risk of threats like network eavesdropping. With HTTPS-First Mode activated, Chrome will upgrade its connection to all pages a user visits to HTTPS. If HTTPS isn’t supported, the user will be shown a warning before loading a site with a less secure connection.

Building products that are Private by Design

Protecting user privacy is core to how we conceptualize, design, and build our products. This means continuously making thoughtful decisions about when, how, and why data is used in our products – and minimizing data use and retention when possible.

That’s why we’ve worked to create and open source privacy preserving technologies like Differential Privacy and Federated Learning. These technologies allow us to give you a customized experience without identifying individuals and while minimizing the amount of data that’s collected.

Ephemeral Learning is another privacy preserving technology that we’ve used to help train the models that power some of our most helpful features. Ephemeral Learning is a privacy-preserving technique that applies to cases where the training model runs on Google’s servers. Incoming data samples are stored in short-term memory for a training algorithm to learn from, and then they’re deleted within minutes. These samples are processed without any additional user signals, and without humans ever looking at the data. This technique allows us to train the models that power features like voice-to-text transcription while preserving privacy and reducing the amount of data stored.

We’ve also recently developed and open sourced Private Set Membership – a privacy preserving technology that makes it possible for an individual device to check membership against a dataset while maintaining the privacy of both the device and the dataset. This builds on our previous work on Private Join and Compute. As always, we’re committed to open sourcing and making these technologies widely available for developers around the world.

You’re in Control with Powerful Privacy and Security Settings

You should be able to choose the privacy settings that are right for you, with controls that are easy to use and understand and available right in the product when you need them. That’s why we created one place to manage settings in your Google Account, introduced Auto-Delete options, and created controls that appear in context when you’re using our products.

Back in May, our Photos team introduced Locked Folder on Pixel - a passcode-protected space where you can save photos and videos separately, so they won't show up as you scroll through Google Photos or any other apps on your device. We’re excited to share that this feature is coming to Google Photos on Android soon, and to iOS early next year.

October may be Cybersecurity Awareness Month, but our work to keep you safe online is never done. Visit our Safety Center to learn all the ways we’re making every day safer with Google.

Supporting the first #ShareTheMicInCyber Fellowship

Keeping people safe online requires more than just advanced security technology, it requires people.

Google’s security teams are made up of some of the world’s greatest hackers, developers and leaders. Day in and day out they work to keep our users’ and our Googlers’ information safe and secure.

There is no one-size-fits-all security practitioner and we believe that diversity is key to building effective security teams. As Cybersecurity Awareness Month comes to an end, I’m thrilled to announce that Google is furthering its support for #ShareTheMicInCyber by investing in the #ShareTheMicInCyber Fellowship.

Founded by Googler Camille Stewart and Harvard Kennedy School’s Lauren Zabierek, #ShareTheMicInCyber began as an online conversation between Allies and Black cyber practitioners on Twitter and LinkedIn, and transformed into a social media phenomenon that highlights the experiences and expertise of Black practitioners in the field, features their accomplishments and creates a critical conversation on race in the industry.

The #ShareTheMicInCyber Fellowship, developed in partnership with New America, is the first of its kind and will build on the work of previous #ShareTheMicInCyber campaigns by creating a program for Black cyber practitioners to further their career goals, build on their networks and pursue new opportunities. #ShareTheMicInCyber Fellows will conduct policy research and analysis, explore cybersecurity field issues from important perspectives and address the human side of cybersecurity, both from policy and technical aspects.

As part of Google’s commitment to strengthen the security workforce, we are proud to support the critical mission of #ShareTheMicInCyber by funding the first year of the fellowship and pledging to a total of five years of funding. The #ShareTheMicInCyber and New America teams will develop the fellowship program, which is expected to launch in 2022.

As modern cybersecurity threats evolve into new and more dangerous attacks - and as the industry seeks skilled workers - we need an arsenal of different ideas that represent all backgrounds. The #ShareTheMicInCyber Fellowship will amplify diverse talent and bring new voices and ideas to the industry and ultimately make us all safer and more secure.

Today, we #ShareTheMicInCyber

We know diverse security teams are more innovative, produce better products and enhance an organization's ability to defend against cyber threats. 

This is part of why Googler Camille Stewart cofounded #ShareTheMicInCyber, an initiative that pairs Black security practitioners with prominent allies who lend their social media platforms to the practitioners for a day. The goal is to break down barriers, engage the security community and promote sustained action to eradicate systemic racism.

Today, cybersecurity and privacy practitioners across Google and industry are elevating the voices and expertise of Black women who specialize in cybersecurity and privacy as part of #ShareTheMicInCyber’s Women’s History Month campaign. 

I’m honored to #ShareTheMicInCyber with a few of the Black women security and privacy practitioners I work alongside every day at Google.

Camille Stewart, Head of Security Policy, Google Play + Android

“I work in this space to empower people in and through technology by translating and solving the complex challenges that lie at the intersection of technology, security, society and the law. 

Security is core to everything we do here. As creators of technology, we work to be intentional about how we build and educate users on safety and security. To do this effectively, we must be more intentional about diversity. More often than not, I am the only woman and only person of color in meetings where decisions are being made. To make truly inclusive technology and combat abuse, we need a diverse workforce.

I believe technical and policy mitigations to cybersecurity challenges will never reach their full potential until systemic racism is addressed and diverse voices are reflected among our ranks at all levels. That’s why I co-founded #ShareTheMicInCyber.”

Brooke Pearson, Program Manager for Chrome Privacy Sandbox 

“I work in security and privacy to protect people and their personal information. It’s that simple.

At Google, we’re tackling some of the world's biggest security and privacy problems, and every day my work impacts billions of people around the world. Most days, that's pretty daunting, but it's also humbling and inspiring.

If we want to encourage people to engage in more secure behavior, we have to make it easy to understand, easy to act on and inclusive. 

I’m proud to work for a company that promotes active allyship and has stepped forward in such a prominent way to support Black women security and privacy professionals through the #ShareTheMicInCyber campaign.”

Michee Smith, Product Manager, Privacy, Safety & Security

“Protecting user data is core to our mission. We build privacy into everything we do, which is why I am so passionate about my job. I work on products that make it easier for users to understand and control what happens with their data. My interest in this work was sparked when I learned how nuanced and technical these topics are, and how much they impact people.

For me, relationships and representation in tech really matter. Oftentimes, people of color don’t see people who look like us in these roles and on stages. There’s a sense of gratitude, belonging and relief to see someone who looks like you. I want to show up to help others imagine themselves in similar roles — that’s why I’m a huge fan of #ShareTheMicInCyber. This initiative is lifting people and communities up and creating an echo chamber that can be heard beyond cyber to the technology industry as a whole.”

Esther Ndegwa, Program Manager Security, Privacy, Safety & Security

“My passion for security lies in the challenges the industry faces — especially with regard to the evolving expectations and requirements we face to protect data wherever it is. 

The right place to start is to ensure we define our principles through policy.

To get security right requires diverse thinking, drawn from different backgrounds and perspectives. I often encourage minority professionals in technology, who are starting off their career, to explore opportunities in security. 

For me, nothing resonates more than hearing someone tell their story and #ShareTheMicInCyber has created a much needed platform for amplifying those stories. While there is still work to be done to make the security industry more diverse, I believe that having conversations like these makes a big difference.”


I encourage you to follow, share, and retweet #ShareTheMicInCyber on Twitter and LinkedIn, today, March 19. By strengthening our commitment to racial equity and inclusion we can build safer and more secure products for everyone.

If you are interested in participating or learning more about #ShareTheMicInCyber, you can visit the site.

Making every day safer with Google

People around the world use Google products every day to help with things big and small — whether it’s teaching an online class full of students using our Workspace apps or paying for coffee with Google Pay. Keeping you safe online means continuously protecting the security and privacy of your information. The safety of our products is driven by three core principles: treating your information responsibly, protecting it with world-class security and keeping you in control.

Today, as we celebrate Safer Internet Day, we’re sharing the progress we’ve made to create a safer internet, and how we’ll continue to innovate so that every day you’re safer with Google. 

How we keep you safe in the products you use every day

In 2020, an Ipsos survey found that more than 50% of Americans said they had become more concerned about their online safety than ever before. And we saw this reflected in what people searched for in 2020:

  • People were searching how to strengthen their online security. Searches for “online safety tips” increased by 250% in 2020, and searches for “how strong is my password” increased by 300% in 2020.
  • People were searching for reassurance about their online behaviors. “Is shopping online safe” was searched twice as much in 2020 than 2019. The most common inputs for searches of “Is [blank] online safe” in 2020 were: “Is ordering online safe,” “Is using a debit card online safe” and “Is buying online safe.”

We understand your concerns, and that’s why we provide automatic protections across all of our products to ensure no matter what you’re doing — browsing the web, managing your inbox or seeing family on Meet — we’re keeping you safe. And security has been core to making these services safe: Safe Browsing protects more than four billion devices, Gmail blocks more than 100 million phishing attempts every day and Google Play Protect scans over 100 billion apps every day for malware and other issues. 

We also help keep your data safe with customized recommendations in Security Checkup, an easy, personalized way to secure your Google Account. And Password Checkup helps to keep you and your passwords safe not just on Google, but across the web — since launch in 2019, we’ve seen a 30% reduction in breached credentials. 

Together with Stanford, Google explored what factors make someone targeted by email scams. We found that multiple factors correlate with higher risk: where you live, what devices you use and whether your information appeared in previous third-party data breaches. You can read more about this research on the Cloud blog.

Google Fi VPN exits beta on Android and will expand to iPhone  

Today, Google Fi announced that the Fi VPN for Android is exiting beta and is expanding to iPhone, which means you can get the benefits of the VPN on all phones while also getting a faster, stronger connection across your apps and services. The Fi VPN helps you stream, browse and download on an encrypted, private connection — so you can have peace of mind knowing that websites can’t use your IP address to track your location, and you’re shielded from hackers even while you’re using unsecure networks, like public Wi-Fi. 

Bringing election security support with Advanced Protection Program to U.S. states

As we have in previous elections, in the many months leading up to U.S. Election Day 2020, we’ve made it a priority to equip campaigns with the tools they need to strengthen their own security, protect themselves against digital attacks and reach voters. We helped Defending Digital Campaigns (DDC) distribute more than 10,000 Advanced Protection kits to more than 140 Federal campaigns ahead of the 2020 elections. Today we announced we’re expanding our collaboration with DDC to extend beyond federal campaign efforts to include security training and tools for state Parties and campaigns. Our Advanced Protection Program delivers the strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts.

In addition to our continued work with DDC, we’re also announcing the launch of a new cybersecurity training initiative, Cybersecurity for State Leaders, driven by the National Cybersecurity Center and supported by Google. This program aims to educate state lawmakers and staff on ways to strengthen their defenses against digital attacks. The training will be conducted in all 50 states over the course of 2021, with a targeted focus on state legislators and their staff.

We have been at the forefront of keeping people safe online for the last 21 years, and we plan to keep it that way. Check out our top five safety tips and visit our Safety Center to learn all the ways Google helps you stay safe online, every day.